This document is a NOTE made available by the W3 Consortium for discussion only. This
indicates no endorsement of its content, nor that the Consortium has, is, or will be
allocating any resources to the issues addressed by the NOTE.

This document is a submission to W3C from Engage Technologies, Inc. Please see Acknowledged
Submissions to W3C <http://www.w3.org/Submission/> regarding its disposition.

Abstract

This document defines an extension to the PICS-1.1 label format to allow labels to
refer to specific HTTP cookies. The extension is referenced in the IETF internet draft
Trust Mechanism for State Management
<ftp://ietf.org/internet-drafts/draft-ietf-http-jaye-trust-state-01.txt>. The purpose of this extension and the internet
draft is to allow PICS rating systems to provide information about the server practices
with regard to HTTP cookies. In particular, this extension can be used to apply the
principles of the P3P project to address privacy concerns about HTTP cookies.

Introduction

The W3C is currently addressing many of the issues concerning user privacy as part of
the P3P project. In addition, the IETF has encountered privacy issues with regard to
the use of HTTP cookies as a state management mechanism. An internet draft has been
submitted to the IETF to provide a mechanism for web sites to communicate to user agents
their privacy practices with respect to HTTP cookies.

PICS Label headers (which may be digitally signed according to the DSig Specification) were
seen as the ideal mechanism for labeling the privacy practices. However, there was also a
need to associate a PICS Label header with specific cookies in the same server response.
This extension is proposed to provide that association.

Cookie Information Extension

The goal of the cookie block (cookieinfo) extension is to provide an association
between the PICS label and one or more HTTP cookies. The cookieinfo extension
builds upon the PICS 1.1 "for" and "gen" options to provide this link.
Specifically, the cookieinfo extension provides a mechanism for enumerating the
HTTP cookie names to which the label applies. The "for" and "gen" options
are used to determine compatibility with the domain and path attributes of the cookie as
described in Trust Mechanism for State Management
<ftp://ietf.org/internet-drafts/draft-ietf-http-jaye-trust-state-01.txt>. In addition, the cookie block indicates that this label
applies to cookies in the response header and not to the URI being requested.
If no cookie names are enumerated, then the label applies to all cookies compatible with
the "for" and "gen" options.

Usage notes:

There can be at most 1 cookieinfo extension per label.

The cookieinfo extension must be a "mandatory" extension. Mandatory
implies that the software reading the label that contains the extension must understand an
extension of type http://www.w3.org/PICS/extensions/cookieinfo-1_0.html
or the entire label should be disregarded. This allows user agents to recognize that
this is a label for HTTP cookies.

Detailed Syntax of the Cookieinfo Extension in a PICS 1.1 label

The following syntax of the cookieinfo extension is written in modified BNF. By
convention, '*' indicates 0 or more instances of the token that precedes the special
character, '*1' indicates 0 or 1 instance of the token, and '+' indicates 1 or more
instances of the token. Quoted strings are case sensitive but other literal elements
are case insensitive.

Examples

In this example, we begin with the "extension (mandatory" tokens, which identify
this extension as a mandatory extension to the PICS label within which it is contained.
This declaration is followed by a URL, http://www.w3.org/PICS/extensions/cookieinfo-1_0.html,
which provides a unique name for the extension. De-referencing the URL provides
human-readable information on the extension. Finally we have a quoted cookie name value
indicating the specific HTTP cookie to which the label applies.
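
The following Python sketch is an added example, not part of the original note, showing how a label reader could apply the usage notes and the "no names means all cookies" rule to a label string. The clause shape is assumed from the prose description above, the sample labels are constructed, and the function names and the choice to reject a malformed cookieinfo clause are assumptions of this example.

```python
import re

COOKIEINFO = "http://www.w3.org/PICS/extensions/cookieinfo-1_0.html"
# Keywords are case insensitive, quoted strings are case sensitive (per the note).
HEAD = re.compile(r'extension\s*\(\s*(mandatory|optional)\s+"([^"]*)"', re.I)
NAMES = re.compile(r'((?:\s*"[^"]*")*)\s*\)')

def cookie_scope(label, understood=(COOKIEINFO,)):
    """Classify a PICS-1.1 label string.

    None   -> disregard the whole label
    "uri"  -> no cookieinfo extension: an ordinary label for the requested URI
    "*"    -> cookie label with no names: all cookies compatible with for/gen
    set    -> cookie label limited to the enumerated cookie names
    """
    scopes = []
    for m in HEAD.finditer(label):
        kind, url = m.group(1).lower(), m.group(2)
        if kind == "mandatory" and url not in understood:
            return None                      # unknown mandatory extension
        if url != COOKIEINFO:
            continue                         # optional extension we can skip
        body = NAMES.match(label, m.end())
        if kind != "mandatory" or body is None:
            return None                      # assumption: malformed cookieinfo is rejected
        scopes.append(set(re.findall(r'"([^"]*)"', body.group(1))))
    if len(scopes) > 1:
        return None                          # assumption: "at most 1" violated, rejected
    if not scopes:
        return "uri"
    return scopes[0] or "*"

def label_covers_cookie(label, cookie_name):
    """Name check only; for/gen matching against the cookie's domain and path
    is defined in the internet draft and is not modelled here."""
    scope = cookie_scope(label)
    return scope == "*" or (isinstance(scope, set) and cookie_name in scope)

# Constructed sample labels (service URL, site and rating are placeholders).
def sample(ext):
    return ('(PICS-1.1 "http://ratings.example/v1" labels for "http://shop.example/" '
            'gen true ' + ext + ' ratings (p 1))')

NAMED = sample('extension (mandatory "%s" "session" "cart")' % COOKIEINFO)
ALL = sample('EXTENSION (Mandatory "%s")' % COOKIEINFO)
FOREIGN = sample('extension (mandatory "http://other.example/ext" "x")')
```

A user agent would still have to check the label's "for" and "gen" options against the cookie's domain and path before trusting a positive result from `label_covers_cookie`.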